Cybercriminals are attempting to trick Indian users into disclosing sensitive personal details, according to a new report released on Monday. Suspicious messages asking users to send an application for the disbursement of an income tax refund have been circulating, with a connection that directs users to a webpage that looks similar to the income tax e-filing website. According to an investigation by the New Delhi-based think tank CyberPeace Foundation, hackers have launched a phishing scam targeting Indian bank customers. This includes the State Bank of India, ICICI, HDFC, Axis Bank, and Punjab National Bank.
The report states that the suspicious links originate in the United States and France, and the campaign is gathering personal and banking information from users. Falling into this trap could result in a major financial loss for users.
How does the scam work?
The URL shared through the SMS has no domain name and is unrelated to the Indian government. According to the report, all IP addresses associated with the initiative belong to third-party dedicated cloud hosting providers.
Instead of using the encrypted HTTPS protocol, the entire campaign uses plain HTTP. This ensures that everyone on the network or the internet can intercept traffic and obtain sensitive data in plain text, which they can use against the victim.
The SMS contains instructions to download an app from a third-party source rather than from Google Play. The program demands administrator privileges and unnecessary system control permissions.
Users are routed to a landing page that looks a lot like the government’s e-filing website when they click on the link http://204.44.124[.]160/ITR. Users are asked to enter personal details such as their full name, PAN, Aadhar number, address, pin code, date of birth, mobile number, email address, gender, marital status, and banking information such as account number, IFSC code, card number, expiry date, CVV/CVC, and card PIN after clicking the green ‘Proceed to the verification steps’ button. The bank name is also automatically detected using the IFSC code entered in the form.
Users are guided to a page after submitting details, where they are asked to validate the information they have entered. When users click the green ‘confirm’ button, they are taken to a fake banking login page that looks almost identical to the official one. It requests your online banking username and password.
After these details have been entered, users will be prompted to enter a Hint question, Response, Profile password, and CIF number in the next stage. Following submission, a mobile verification section appears, with instructions for installing an Android application (.apk file) to finish the ITR verification. Investigations revealed that users are expressly advised to grant all system permissions to the relevant application. When you click the green ‘Download’ icon, the application Certificate.apk begins to download. According to the report, the overall layout and functionalities of the web page used in the campaign are close to those of the official e-filing site to entice laypeople.
Do subscribe to our Telegram channel for more resources and discussions on technology law and news. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.